CVE-2019-13132
published 2019-07-10

Priority: P276
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 42.46% (98.5th percentile)
In ZeroMQ libzmq before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.3.2, a remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library. Users running public servers with the above configuration are highly encouraged to upgrade as soon as possible, as there are no known mitigations.

Affected

13 ranges

Vendor         Product        Version range                       Fixed in
canonical      ubuntu_linux
canonical      ubuntu_linux
canonical      ubuntu_linux
canonical      ubuntu_linux
debian         debian_linux
debian         debian_linux
debian         zeromq3        < zeromq3 4.3.1-5 (bookworm)        zeromq3 4.3.1-5 (bookworm)
fedoraproject  fedora
fedoraproject  fedora
fedoraproject  fedora
zeromq         libzmq         < 4.0.9                             4.0.9
zeromq         libzmq         >= 4.1.0, < 4.1.7                   4.1.7
zeromq         libzmq         >= 4.2.0, < 4.3.2                   4.3.2

Detection & IOCs (extracted from sources)

port:   6666
path:   src/v2_decoder.cpp
url:    https://github.com/zeromq/libzmq/issues/3351
bytes:  0xFF 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x01 0x01 0x00
bytes:  0x02 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF
  • Detect exploit attempts by monitoring for ZMTP 2.0 frames whose flags byte has the LARGE bit (0x02) set and whose 8-byte size field is all 0xFF (msg_size = 0xFFFFFFFFFFFFFFFF). That size is the integer-overflow trigger in v2_decoder_t::size_ready().
  • Detect the malformed ZMTP greeting: a 12-byte sequence of 0xFF, eight zero bytes, then 0x01 0x01 0x00. libzmq only tests the low bit of the 10th byte (the spec value is 0x7F), so 0x01 passes as a versioned peer; the following 0x01 selects ZMTP_2_0 and the final byte is the ZMTP 2.0 socket-type field. This reaches the vulnerable code path on servers with CURVE encryption/authentication enabled. Since CURVE exists only in ZMTP 3.x, a ZMTP 2.0 greeting arriving at a CURVE-only endpoint is anomalous by itself.
  • The exploit overwrites the zmq::msg_t::content_t struct (fields: data, size, ffn function pointer, hint) that sits immediately after the receive buffer in the same allocation. Monitor for crashes or unexpected function-pointer calls in libzmq processes after receipt of oversized ZMTP v2 messages.
  • The vulnerability is exploitable only on libzmq sockets with CURVE encryption/authentication enabled; servers without CURVE are not affected by this attack vector. Audit deployments for public-facing ZMQ sockets using CURVE and prioritize patching to 4.0.9, 4.1.7 or 4.3.2 (or later within the respective series).
  • The exploit sends exactly 8183 bytes of padding after the oversized msg_size to reach the content_t boundary (8192, libzmq's default in_batch_size, minus the 9-byte frame header). Network signatures should look for TCP streams to ZMQ ports containing a v2 frame with an all-0xFF 8-byte size field followed by roughly 8183 bytes of data.
  • The exploit requires knowledge of target process memory addresses (e.g. strcpy, system, the .data section) to achieve code execution; ASLR significantly raises the bar unless a separate information-disclosure vulnerability is available.
  • The overflow stays within the allocation that holds both the receive buffer and content_t, so it does not corrupt dlmalloc metadata (fd/bk pointers) and would not trigger AddressSanitizer; heap-integrity tooling is therefore ineffective for catching this exploit in flight.
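The greeting and frame checks from the notes above as a stream-level detector, written for this page as an added example (it is neither libzmq code nor the PoC from the linked issue). It assumes the analyst has the client-to-server bytes of one TCP stream, treats the spec's 0x7F signature byte and the fact that CURVE only exists in ZMTP 3.x as the baseline for "normal", and uses a hypothetical 1 GiB per-frame ceiling (SANE_MAX_FRAME) as local policy. The sample streams are constructed, not captured traffic.

```python
"""Flag the ZMTP byte patterns listed above in a captured client->server stream."""
import struct

ZMTP_2_0 = 0x01            # revision byte that libzmq maps to ZMTP_2_0
FLAG_LARGE = 0x02          # frame flag: an 8-byte big-endian size follows
ALL_FF_SIZE = 0xFFFFFFFFFFFFFFFF
SANE_MAX_FRAME = 1 << 30   # assumed local policy ceiling for one frame (example value)


def parse_greeting(data):
    """Return (revision, socket_type, rest) for a 12-byte versioned greeting, else None.

    Applies only the checks libzmq itself applies: first byte 0xFF and the low
    bit of the 10th byte set. The spec value for that byte is 0x7F; anything
    else with the low bit set still passes, which the 0x01 greeting relies on."""
    if len(data) < 12 or data[0] != 0xFF or not (data[9] & 0x01):
        return None
    return data[10], data[11], data[12:]


def iter_v2_frames(data):
    """Yield (flags, declared_size, bytes_actually_present) per ZMTP 2.0 frame header.

    A frame header is 1 flags byte, then a 1-byte size, or an 8-byte size when
    FLAG_LARGE is set. Iteration stops after a frame that claims more bytes
    than the stream holds, since that is exactly the oversized-frame case."""
    pos = 0
    while pos < len(data):
        flags = data[pos]
        hdr = 9 if flags & FLAG_LARGE else 2
        if pos + hdr > len(data):
            return
        if flags & FLAG_LARGE:
            size = struct.unpack(">Q", data[pos + 1:pos + 9])[0]
        else:
            size = data[pos + 1]
        pos += hdr
        present = len(data) - pos
        yield flags, size, min(size, present)
        if size > present:
            return
        pos += size


def check_stream(stream, curve_endpoint=True):
    """Return a list of (code, detail) findings for one client->server stream.

    curve_endpoint says whether the destination socket is known to require
    CURVE; CURVE exists only in ZMTP 3.x, so a ZMTP 2.0 greeting to such an
    endpoint is itself anomalous."""
    findings = []
    parsed = parse_greeting(stream)
    if parsed is None:
        return findings
    revision, socket_type, rest = parsed
    if stream[9] != 0x7F:
        findings.append(("NONSTANDARD_SIGNATURE",
                         "10th greeting byte 0x%02x, spec says 0x7F" % stream[9]))
    if revision != ZMTP_2_0:
        return findings            # v2 frame parsing below only applies to ZMTP 2.0
    if curve_endpoint:
        findings.append(("ZMTP2_ON_CURVE_ENDPOINT",
                         "socket type byte 0x%02x" % socket_type))
    for flags, size, present in iter_v2_frames(rest):
        if flags & FLAG_LARGE and size == ALL_FF_SIZE:
            findings.append(("ALL_FF_SIZE", "%d payload bytes follow the header" % present))
        elif size > SANE_MAX_FRAME:
            findings.append(("IMPLAUSIBLE_SIZE", "declared 0x%x bytes" % size))
    return findings


# Constructed sample streams (not captured traffic). The greeting and size
# bytes are the values listed on this page; the 8183 filler bytes stand in for
# the exploit's padding (8192, libzmq's default in_batch_size, minus 9 header bytes).
PAGE_GREETING = bytes([0xFF] + [0x00] * 8 + [0x01, 0x01, 0x00])
MALICIOUS_STREAM = PAGE_GREETING + b"\x02" + b"\xff" * 8 + b"A" * 8183
BENIGN_V2_STREAM = bytes([0xFF] + [0x00] * 8 + [0x7F, 0x01, 0x00]) + b"\x00\x05hello"

if __name__ == "__main__":
    for name, s in (("malicious", MALICIOUS_STREAM), ("benign", BENIGN_V2_STREAM)):
        print(name, check_stream(s))
```

Running the module prints three findings for the constructed malicious stream (non-standard signature byte, ZMTP 2.0 selected against a CURVE endpoint, all-0xFF size with 8183 payload bytes) and only the ZMTP 2.0 finding for the benign stream; passing curve_endpoint=False for an endpoint that legitimately speaks ZMTP 2.0 suppresses that one as well.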

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                     9.8    CRITICAL
vendor_debian           9.8    CRITICAL
vendor_redhat           9.8    CRITICAL
vendor_ubuntu           9.8    CRITICAL